[one-users] Fwd: ACLs and users authentification

Пярн Артур dekkart at yandex.ru
Thu Sep 6 03:49:43 PDT 2012


Thank you Hector for your reply. I'm using Chrome (latest version), also tried Firefox - and still the same.
Deleting cookies hasn't changed the situation. JS log without errors. I think I will try to reinstall Sunstone later.
But this is not the first time the problem with disappearing tabs has appeared. Some time ago some tabs disappeared in host management. If there are other things to check, I will be glad to hear them.

06.09.2012, 12:30, "Hector Sanjuan" <hsanjuan at opennebula.org>:
> Hello,
>
> Which browser and version are you using? The username is missing on the
> Welcome: label on top, which indicates there is a problem with the
> sunstone cookie very possibly. This explains why the chown/chgrp buttons
> are not showing either.
>
> Can you delete cookies and cache and reload? Check that your browser or a
> plugin of it is not blocking cookies etc. Check the browser console for
> any errors, especially javascript-related ones. Thanks!
>
> Hector
>
> On Thu, 06 Sep 2012 09:57:12 +0200, Пярн Артур <dekkart at yandex.ru>
> wrote:
>
>>  Hi Carlos,
>>
>>  Thank you very much, I understood. It seems the problem is that there are
>>  no specific tabs in Sunstone where they should be - to change the owner and
>>  group of a specific resource (in screenshots). That's what confused me.
>>
>>  I found how to do it in CLI, but anyway I don't know why Sunstone is not
>>  working correctly, not showing some tabs. Also Sunstone doesn't show the
>>  user name in the greeting field (I made red circles around it).
>>
>>  I did a default installation and changed only system settings in
>>  sunstone.conf (ports, vnc, ip, etc.).
>>
>>  Screenshots and sunstone log attached (NO ERRORS FOUND).
>>
>>  --------------------------------------
>>  Server configuration
>>  --------------------------------------
>>  {:auth=>"sunstone",
>>  :vnc_proxy_cert=>nil,
>>  :vnc_proxy_path=>"/srv/cloud/one/share/noVNC/utils/websockify",
>>  :vnc_proxy_key=>nil,
>>  :vnc_proxy_support_wss=>false,
>>  :debug_level=>3,
>>  :host=>"0.0.0.0",
>>  :vnc_proxy_base_port=>29876,
>>  :port=>8888,
>>  :one_xmlrpc=>"http://localhost:2633/RPC2",
>>  :core_auth=>"cipher",
>>  :lang=>"en_US"}
>>
>>  == Sinatra/1.3.2 has taken the stage on 8888 for development with backup from Thin
>>
>>  Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42] "GET / HTTP/1.1" 200 1595 0.0075
>>  Thu Sep 06 03:24:42 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:42] "GET /favicon.ico HTTP/1.1" 401 - 0.0010
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "POST /login HTTP/1.1" 204 - 0.0691
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET / HTTP/1.1" 200 4630 0.0067
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /vendor/noVNC/include/plain.css HTTP/1.1" 404 466 0.0013
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /host/monitor?title=graph1&monitor_resources=cpu_usage%2Cused_cpu%2Cmax_$
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /host/monitor?title=graph2&monitor_resources=mem_usage%2Cused_mem%2Cmax_$
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /vm/monitor?title=graph3&monitor_resources=total%2Cactive%2Cerror&histor$
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /config HTTP/1.1" 200 40 0.0021
>>  Thu Sep 06 03:24:49 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:49] "GET /vm/monitor?title=graph4&monitor_resources=net_tx%2Cnet_rx&history_lengt$
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /user?timeout=false HTTP/1.1" 200 1432 0.0054
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /group?timeout=false HTTP/1.1" 200 554 0.0042
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /acl?timeout=false HTTP/1.1" 200 1057 0.0046
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /vm?timeout=false HTTP/1.1" 200 4255 0.0079
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /vmtemplate?timeout=false HTTP/1.1" 200 2978 0.0072
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /image?timeout=false HTTP/1.1" 200 3632 0.0077
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /cluster?timeout=false HTTP/1.1" 200 27 0.0344
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /host?timeout=false HTTP/1.1" 200 2498 0.0088
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /datastore?timeout=false HTTP/1.1" 200 1580 0.0052
>>  Thu Sep 06 03:24:50 2012 [I]: 10.2.0.3 - - [06/Sep/2012 03:24:50] "GET /vnet?timeout=false HTTP/1.1" 200 1406 0.0051
>>
>>  etc.
>>
>>  05.09.2012, 19:20, "Carlos Martín Sánchez" <cmartin at opennebula.org>:
>>
>>  Hi,
>>
>>  That's not the normal behaviour, you may have changed some configuration
>>  during your tests.
>>
>>  ACL rules in OpenNebula only add permissions, there is no option to make
>>  other resources invisible, because by default they are.
>>
>>  Users can only list the resources they have USE permissions over. If your
>>  users can list VMs from other group, it is because you have an ACL that
>>  allows it, or because you changed the VM permissions to allow USE to
>>  'others', see [1].
>>
>>  If you need more specific help, please include the output of oneacl list.
>>
>>  Regards,
>>
>>  Carlos
>>
>>  [1] http://opennebula.org/documentation:rel3.6:chmod
>>
>>  --
>>  Carlos Martín, MSc
>>  Project Engineer
>>  OpenNebula - The Open-source Solution for Data Center Virtualization
>>
>>  www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>>
>>  On Wed, Sep 5, 2012 at 3:37 PM, Пярн Артур <dekkart at yandex.ru> wrote:
>>
>>  Hi
>>
>>  I'm testing OpenNebula in multi-tenant environments and found an
>>  upsetting issue.
>>
>>  When I put users in groups (for example company A and company B groups),
>>  I can't find anything in options and in documentation (ACLs, etc.) to make
>>  company A VMs invisible to company B VMs and the opposite.
>>
>>  They just can't do anything with machines that are not their own, but they
>>  still see the whole pool of virtual machines. This is not good in such a case.
>>
>>  I will be pleased to hear any advice.
>>
>>  Thank you in advance.
>
> --
> Hector Sanjuan
> OpenNebula Developer

-- 
Best regards, Артур Пярн
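
A simplified model of the visibility rule Carlos describes in the quoted reply (a VM is listed when a permission bit or an ACL rule grants USE), as an added example that is not part of the original thread and is not OpenNebula code. The user, group and VM ids and the rules are constructed; rule strings follow the `<user> <resources> <rights>` shape of oneacl rules, and the oneadmin bypass is left out.

```ruby
# Added example: simplified model of OpenNebula-style VM visibility.
# Not OpenNebula source code; users, groups, VMs and rules are constructed.
User = Struct.new(:id, :gid)
# use_bits holds the USE bit for owner, group, other as "1"/"0" characters.
Vm   = Struct.new(:id, :uid, :gid, :use_bits)

# Does an ACL rule string "<user> <resources> <rights>" grant USE on vm to user?
def acl_grants_use?(rule, user, vm)
  who, what, rights = rule.split
  types, target = what.split("/")
  who_ok  = ["*", "#" + user.id.to_s, "@" + user.gid.to_s].include?(who)
  what_ok = types.split("+").include?("VM") &&
            ["*", "#" + vm.id.to_s, "@" + vm.gid.to_s].include?(target)
  who_ok && what_ok && rights.split("+").include?("USE")
end

# Returns every reason the user can list the VM; an empty array means hidden.
def visibility_reasons(user, vm, acl_rules)
  owner, group, other = vm.use_bits.chars.map { |b| b == "1" }
  reasons = []
  reasons << "owner USE bit" if owner && vm.uid == user.id
  reasons << "group USE bit" if group && vm.gid == user.gid
  reasons << "other USE bit" if other
  acl_rules.each do |rule|
    reasons << "ACL: #{rule}" if acl_grants_use?(rule, user, vm)
  end
  reasons
end

# Report VMs that a user can list although they belong to another group.
def cross_group_leaks(user, vms, acl_rules)
  vms.reject { |vm| vm.gid == user.gid }
     .map { |vm| [vm.id, visibility_reasons(user, vm, acl_rules)] }
     .reject { |_, reasons| reasons.empty? }
     .to_h
end

# Constructed sample data: group 100 = company A, group 101 = company B.
ALICE = User.new(10, 100)
VMS = [
  Vm.new(1, 10, 100, "100"),  # A's VM, owner-only
  Vm.new(2, 20, 101, "100"),  # B's VM, owner-only
  Vm.new(3, 21, 101, "101"),  # B's VM with USE opened to 'others'
]
RULES = ['@100 VM+IMAGE/@100 USE', '* VM/#2 USE+MANAGE']

cross_group_leaks(ALICE, VMS, RULES).each do |id, why|
  puts "VM #{id} visible to user #{ALICE.id}: #{why.join(', ')}"
end
```

With the sample data, the company A user sees VM 2 through the `*` ACL rule and VM 3 through its 'other' USE bit; removing both causes leaves no cross-group VM listed.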


